Nuface Blog

Building a Complete Enterprise-Grade Mail System (Overview)

Posted on 2025-11-20 (updated 2025-11-21) by Rico

Mail Server Series — Part 1

In most enterprise environments, a reliable, secure, and maintainable mail system is one of the most critical components of the IT infrastructure.
This series will guide you through building a fully functional Docker-based mail ecosystem, covering:

  • SMTP/IMAP/POP3 services
  • Anti-spam / anti-virus filtering
  • User management via MySQL
  • Sieve filtering rules
  • Quota + user notifications
  • Email archiving and full-text search
  • Webmail interface
  • TLS/SNI multi-domain support
  • Reverse proxy and HTTPS integration

By the end of the series, you will have a production-ready, fully controllable email infrastructure.


🎯 Goals of This Series

This guide explains how to build a mail system that provides:

✔ Multi-domain support
✔ Virtual users stored in MySQL
✔ Postfix + Dovecot as the core MTA/MDA
✔ Amavis, SpamAssassin, ClamAV for filtering
✔ Sieve + IMAPSieve rules
✔ Quota enforcement + warning emails
✔ Bayes + TxRep + remote spam/ham learning
✔ Piler for email archiving
✔ ManticoreSearch for Chinese full-text indexing
✔ Roundcube Webmail with Sieve editor
✔ Apache reverse proxy with HTTPS
✔ Let’s Encrypt certificate auto-renewal
✔ Postfix/Dovecot TLS SNI support
✔ Fully containerized microservice architecture

Each upcoming article will focus on one component or topic in detail.


🏗 System Architecture (Big Picture)

The entire mail environment is composed of multiple Docker services:

                +------------------------+
                |   Apache Reverse Proxy |
                |   HTTPS / SNI / Cert   |
                +-----------+------------+
                            |
      https://webmail.domain   https://archive.domain
                            |
        +-------------------+---------------------+
        |                                         |
+---------------+                +-----------------------------+
|   Roundcube   |                |            Piler            |
|   Webmail     | <- LMTP ----- |  Archiving + Search UI      |
+---------------+                +--------------+--------------+
                                                     |
                                                     | SQL / Search
                                                     v
                                       +---------------------------+
                                       |     Manticore Search      |
                                       | (ICU Chinese, N-gram)     |
                                       +---------------------------+

SMTP / IMAP Core
---------------------------------------------------------------
        +-------------------------+
        |        Postfix          |  → SMTP, SNI, policy checks
        +-----------+-------------+
                    |  LMTP
        +-----------v------------+
        |        Dovecot         | → IMAP/POP3, LMTP, Sieve, Quota
        +-----------+------------+
                    |
                    v
            +----------------+
            | User Maildirs  |
            +----------------+

Content Filtering (Anti-Spam / Anti-Virus)
---------------------------------------------------------------
Postfix → Amavis → SpamAssassin/ClamAV → Postfix

        +------------------------------------------+
        |    Amavis + SpamAssassin + ClamAV        |
        |    - DKIM/SPF/Spam score                  |
        |    - Virus scanning                       |
        |    - Header rewriting                     |
        +------------------------------------------+

Email Archiving via Milter
---------------------------------------------------------------
Postfix → Piler-Milter → add X-Envelope-To → Piler

Database Layer
---------------------------------------------------------------
                +-------------------------+
                |         MariaDB         |
                |  Postfixadmin / SA /    |
                |  Piler backend          |
                +-------------------------+

🔧 Component Overview

1️⃣ Postfix — SMTP MTA (multi-domain, SNI, MySQL)

Postfix handles:

  • All incoming/outgoing SMTP traffic
  • MySQL-based virtual domains/users
  • TLS SNI for multi-domain certificates
  • SASL authentication (via Dovecot)
  • Content filtering with Amavis
  • Email archiving via milter

2️⃣ Dovecot — IMAP / POP3 / LMTP / Sieve / Quota

Dovecot provides:

  • IMAP/POP3 services
  • LMTP for local delivery
  • Maildir management (vmail user)
  • Sieve filtering rules
  • IMAPSieve for spam/ham learning
  • Quota and usage warning emails

3️⃣ Amavis + SpamAssassin + ClamAV

Mail passes through:

Postfix → Amavis → SpamAssassin → ClamAV → Amavis → Postfix

Provides:

  • Virus scanning
  • Spam detection (Bayes, TxRep, DNSBL)
  • DKIM validation/signing
  • Spam tagging

4️⃣ Postfixadmin — Domain & User Management

A convenient web UI for:

  • Domain & mailbox creation
  • Alias & forwarding
  • Password management
  • Sync with MariaDB tables

5️⃣ Piler — Email Archiving & Compliance

Piler stores every inbound/outbound message and offers:

  • Audit-ready email retention
  • Search by sender, recipient, subject, etc.
  • Restore emails via IMAP

To support Chinese full-text search, it integrates with:

🔍 ManticoreSearch (ICU Chinese)

  • ICU Chinese tokenizer
  • 2-character N-gram indexing
  • Real-time index for Piler

6️⃣ Piler-Milter — X-Envelope-To Header Injection

Ensures Piler knows ALL actual envelope recipients, enabling:

  • Correct user access permissions
  • Accurate multi-recipient search
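Why the milter step matters, shown as an added example that is not code from the original post or from the Piler project: a constructed message where Bob is a Bcc recipient, so he exists only in the SMTP envelope and not in any To:/Cc: header. The functions model the milter's X-Envelope-To injection (header name from the post; function names and the stripping of pre-existing headers are my assumptions).

```python
"""Added example: envelope recipients vs header recipients for archiving."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed sample: Bob is a Bcc recipient, so he appears only in the envelope.
SAMPLE_MESSAGE = """\
From: Alice <alice@example.com>
To: Carol <carol@example.com>
Subject: Q3 report
Message-ID: <constructed-001@example.com>

Please review the attached figures.
"""
SAMPLE_ENVELOPE_RCPTS = ["carol@example.com", "bob@example.com"]


def header_recipients(raw: str) -> set[str]:
    """Recipients visible from To:/Cc: alone, i.e. what a header-only archiver sees."""
    msg = message_from_string(raw)
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in addrs if addr}


def inject_envelope_to(raw: str, envelope_rcpts: list[str]) -> str:
    """Model of the milter step: one X-Envelope-To header per RCPT TO address.

    Any X-Envelope-To header already present is dropped first (assumption), so
    a sender cannot pre-seed the archive with recipients who never got the mail.
    """
    msg: Message = message_from_string(raw)
    del msg["X-Envelope-To"]          # removes all occurrences, no error if absent
    for rcpt in envelope_rcpts:
        msg["X-Envelope-To"] = rcpt.lower()   # __setitem__ appends, keeps earlier ones
    return msg.as_string()


def archive_recipients(raw: str) -> set[str]:
    """What the archive can index once the milter has run: envelope, not headers."""
    msg = message_from_string(raw)
    return {v.strip().lower() for v in msg.get_all("X-Envelope-To", [])}
```

Run `header_recipients` and `archive_recipients` on the same stamped message to see the Bcc recipient appear only in the latter, which is exactly the access-permission and multi-recipient-search gap the milter closes.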

7️⃣ Roundcube Webmail + Sieve Editor

Provides:

  • Webmail interface
  • IMAP client
  • SMTP sending
  • Sieve filter management (Managesieve)

8️⃣ Apache Reverse Proxy + HTTPS

Handles:

  • Virtual hosts (webmail.domain / archive.domain)
  • TLS offloading
  • Let’s Encrypt certificate renewal
  • Integration with backend containers

📚 Upcoming Articles in This Series

This series is structured as follows:


📘 Part 1 — Overview (this article)


📙 Part 2 — Network Architecture, DNS, TLS & SNI Design

MX / SPF / DKIM / DMARC fundamentals
Let’s Encrypt + automated reload
Postfix/Dovecot SNI inbound/outbound design


📗 Part 3 — MariaDB + Postfixadmin (Virtual Domains)

Database schema
Postfix lookup tables
Postfixadmin deployment


📘 Part 4 — Custom-Built Postfix 3.10.x with MySQL/SNI

Postfix compile flags (MySQL/LMDB/PCRE2/SASL/TLS)
main.cf / master.cf deep dive
Amavis & SNI integration


📙 Part 5 — Dovecot (IMAP/POP3/LMTP/Sieve/Quota)

LMTP delivery flow
IMAPSieve spam/ham learning
Quota warning system


📗 Part 6 — SpamAssassin 4.0: SQL Bayes, TxRep, sa-update, Remote Learning & Full Docker Deployment Guide

Overview of the SpamAssassin Architecture
Why SQL Bayes + TxRep Instead of Local Files
SpamAssassin Docker Deployment
local.cf – SQL Bayes + TxRep Configuration
Fully Automated Learning via IMAPSieve
Daily Rule Updates – sa-update & sa-compile
Integrating SpamAssassin with Amavis
MySQL Schema Fixes Required by SA 4.0
Full SA Flow Diagram
Recommendations & Best Practices


📘 Part 7 — Amavis + ClamAV + DKIM: The Complete Flow of Virus Scanning, Spam Filtering, and Mail Signing

The Role of Amavis
Mail Flow Through Amavis
Amavis Docker Container Structure
Integrating ClamAV
Integrating SpamAssassin
DKIM Signing and Verification
Postfix ↔ Amavis Port Assignments
Policy Banks
Logs and Debugging
Security Testing

📙 Part 8 — Piler + Manticore Chinese Full-Text Search

Piler deployment
X-Envelope-To pipeline
Manticore ICU indexing


📗 Part 9 — Roundcube Webmail + Managesieve

IMAP/SMTP TLS
Reverse proxy
Sieve rules UI


📘 Part 10 — Full System Architecture, Mail Flow Diagrams, Monitoring, Backups, Hardening & Performance Tuning

Final System Architecture Diagram
Complete Mail Flow
Monitoring and Log Analysis
Backup Strategy
Security Hardening
Performance Tuning
Automation
Final Recommendations

📙 Part 11 — Final Chapter: Complete Troubleshooting Guide & Frequently Asked Questions (FAQ)

How to Identify Which Component Is Failing
Outbound Delivery Issues (Cannot Send Email)
Inbound Delivery Issues (Cannot Receive Email)
Webmail (Roundcube) Login Issues
Dovecot Troubleshooting
SpamAssassin / Amavis Issues
Piler Troubleshooting
Manticore Troubleshooting
Postfix Common Errors
FAQ — Frequently Asked Questions

📗 Part 12 — High Availability Architecture, Failover, GeoDNS, Monitoring, and Email Abuse Automation (SOAR)

Why Email High Availability Matters
High Availability Architecture Options
Failover Strategy
GeoDNS – Multi-Region Traffic Routing
Monitoring Architecture
SOAR — Email Abuse Response Automation
Security Hardening Checklist
Future Enterprise-Grade Enhancements

📘 Part 13 — Deployment Scripts + Enterprise Maintenance SOP

Complete Architecture Summary
Recommended Deployment Order
Unified Deployment Script (installer.sh)
Enterprise SOP (Standard Operating Procedures)
Common Issues & Troubleshooting Flow
Documents Recommended for Long-Term Maintenance

📙 Part 14 — Final Architecture, Operations Checklist, and Future Expansion

Final Architecture Overview
Mail Flow Summary (End-to-End)
Operations Checklist (Daily / Weekly / Monthly)
Security Hardening Checklist
Future Expansion Ideas

📗 Part 15 — High Availability, Scalability, and Long-Term Operations Guide

High-Level Overview of Redundancy & Scalability
High Availability for Postfix & Dovecot
MariaDB Redundancy Strategies
HA for Piler + ManticoreSearch
HA for Roundcube, PostfixAdmin, Piler Web UI
Multi-Site / Multi-Country Deployment
Monitoring Strategy (Mandatory for Production)
Operational Automation
Troubleshooting SOP
Disaster Recovery Guide

📘 Part 16 — Full-Stack Monitoring & Alerting for an Enterprise-Grade Mail Platform

What Should You Monitor in a Mail Platform
Recommended Full Monitoring Architecture
Required Exporters
Grafana Dashboards
Alerting Rules
External Probing
Centralized Alert Delivery
Deployment Recommendations for Your Environment

📙 Part 17 — Enterprise Email Security, Auditing, and Data Governance: A Complete Technical Guide

Security Governance — The First Line of Defense
Audit Governance — Ensuring Traceability & Accountability
Data Governance — The Legal and Compliance Backbone
Incident Response (IR): Email Security Playbook
Zero Trust Email Architecture
Suggested Enhancements (Advanced Level)

📗 Part 18 — Backup, Disaster Recovery (DR), and Multi-Site Deployment Strategy for an Enterprise Mail System

Why Backup and DR Are Critical for a Mail System
Full Backup Checklist (8 Mission-Critical Items)
Recommended Backup Strategy
Backup Frequency Plan (Daily / Weekly / Monthly)
Complete Disaster Recovery (DR) Procedures
Designing a Multi-Site DR Architecture (Advanced)
Recommended Automation Scripts

📘 Part 19 — Daily Operations, Monitoring, and Performance Tuning for an Enterprise Mail System

Daily Routine Checks
Weekly Checks
Monthly Maintenance
Performance Tuning
Monitoring Architecture
Security Operations
Troubleshooting SOP

📙 Part 20 — Strengthening Mail Server Security

TLS — Secure Transport Layer Encryption
SPF — Sender Policy Framework
DKIM — DomainKeys Identified Mail
DMARC — Domain-Level Anti-Spoofing Policy
MTA-STS — Enforced Secure SMTP Transport
DANE — DNSSEC-Protected TLS Assurance
Enterprise-Grade Mail Security Checklist
